|
|
Posted by Christoph Burschka on 05/22/07 06:43
> <FORM ACTION="insert_data.php" METHOD=POST>
That doesn't have anything to do with register_globals (although on a
side note, I'd generally advise <form action="insert_data.php"
method="post"> because it's both easier to read and compliant with
XHTML). Look at the insert_data.php script instead.
In insert_data.php, the form values you sent should be referenced like
this: $_POST['field1'], $_POST['field2'], etc.
If they're used directly as $field1, $field2, etc., your code is
depending on register_globals to work, and may be vulnerable to a
certain kind of injection attacks. Just replace $field1 with
$_POST['field1'], and it will be okay.
Of course, even a script that does not depend on register_globals is
only safe after register_globals is actually disabled.
--
Chris
[Back to original message]
|